Researchers compiled a list of more than 500,000 Internet-facing control system-related devices on the SHODAN search engine using supervisory control and data acquisition (SCADA) and other ICS-related search terms.
The researchers brought their findings to the attention of ICS-CERT, saying an adversary could use the search engine as a shortcut to find vulnerable systems and thereby threaten or attack critical infrastructure, according to an ICS-CERT report.
ICS-CERT is working with the researchers and industry partners to notify the owners of the identified IP addresses, but recommends that asset owners and operators take a proactive approach and audit their systems to ensure strong authentication/logon credentials and defensive measures are in place.
Owners, operators, and security personnel may use search engines, such as SHODAN or ERIPP, to audit their networks and devices to locate Internet-facing control system devices that may be susceptible to compromise.
Asset owners should query various search engines using the vendor product, model, and version of a device to determine if their IP address block is within the search results, according to ICS-CERT.
If they discover control system devices using these tools, asset owners should take the necessary steps to remove these devices from direct or unsecured Internet access as soon as possible.
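One way an asset owner could run the check described above is to export the search results and test each address against the blocks they own. This is an added example, not code from ICS-CERT or the researchers; the record field names, product names and address blocks are constructed assumptions (RFC 5737 documentation ranges).

```python
import ipaddress
from collections import defaultdict

# Constructed sample: address blocks the asset owner is responsible for.
OWNED_BLOCKS = ["192.0.2.0/24", "198.51.100.64/26"]

# Constructed sample of exported search results. The field names are
# assumptions; map them to whatever the search engine's export provides.
SEARCH_RESULTS = [
    {"ip": "192.0.2.17", "port": 502, "product": "ExamplePLC", "version": "2.1"},
    {"ip": "198.51.100.70", "port": 80, "product": "ExampleHMI", "version": "4.0"},
    {"ip": "198.51.100.10", "port": 80, "product": "ExampleHMI", "version": "4.0"},
    {"ip": "203.0.113.5", "port": 502, "product": "ExamplePLC", "version": "2.1"},
    {"ip": "not-an-ip", "port": 502, "product": "ExamplePLC", "version": "2.1"},
    {"ip": "192.0.2.17", "port": 80, "product": "ExamplePLC", "version": "2.1"},
]


def find_exposed(results, owned_blocks):
    """Group search hits that fall inside the owner's blocks.

    Returns (exposed, skipped): exposed maps each owned block to a sorted
    list of (ip, port, product, version); skipped holds unparsable records.
    """
    networks = [ipaddress.ip_network(block, strict=True) for block in owned_blocks]
    exposed = defaultdict(set)
    skipped = []
    for rec in results:
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except (KeyError, ValueError):
            skipped.append(rec)  # keep for manual review instead of dropping silently
            continue
        for net in networks:
            if addr.version == net.version and addr in net:
                exposed[str(net)].add(
                    (str(addr), rec.get("port"), rec.get("product"), rec.get("version"))
                )
    order = lambda hit: (ipaddress.ip_address(hit[0]), hit[1] or 0)
    return {net: sorted(hits, key=order) for net, hits in exposed.items()}, skipped


if __name__ == "__main__":
    exposed, skipped = find_exposed(SEARCH_RESULTS, OWNED_BLOCKS)
    for block, hits in exposed.items():
        for ip, port, product, version in hits:
            print(f"{block}: {ip}:{port} {product} {version} is Internet-facing")
    print(f"{len(skipped)} record(s) could not be parsed")
```

Each hit inside an owned block is a device to remove from direct Internet access or place behind authenticated, controlled access.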